FCPA Compliance and Ethics Blog

November 28, 2014

The Network in Houston-FCPA Best Practices: Internal Controls & Compliance Risk Assessments

Filed under: Best Practices,FCPA,Internal Controls,Stephen Martin,The Network — tfoxlaw @ 10:43 am

Downtown HoustonWhen it comes to FCPA compliance, ethics and compliance professionals face the U.S. Sentencing Guidelines’ 7 Elements of an Effective Compliance Program; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the UK’s 6 Principles for “Adequate Procedures”; the 9 Hallmarks of Effective Compliance Programs according to the DOJ’s FCPA Guidance… and the list goes on.  It’s essential that companies routinely assess their organizations’ FCPA risk and ensure they have the proper internal controls to effectively comply with the law. If you want to know more about  Internal Controls & Compliance Risk Assessments I hope that you can join me next Thursday, December 4th in Hosuton. The Network is hosting is a complimentary, half-day event for a limited audience in the Houston area, where you’ll have the chance to hear from top ethics and compliance professionals including Stephen Martin, founder and managing director of Baker & McKenzie Compliance Consulting, and myself.

LEARNING OBJECTIVES

  • Baker McKenzie’s 5 Essential Elements of Corporate Compliance
  • Best practice compliance risk assessment methodology
  • How to avoid the 12 common pitfalls of compliance risk assessments
  • What a company’s obligations are regarding internal controls under the FCPA
  • What internal controls are required to meet this obligation
  • How you can determine which internal controls your company needs

AGENDA:

1:00 pm – Registration & Networking
1:30 pm – Welcome & Introductions
1:45 pm – Session 1: Conducting Effective Compliance Risk Assessments
3:15 pm – Networking Break & Solution Demos
3:45 pm – Session 2: Understanding Your Internal Control Obligations
4:45 pm – Group Discussion / Q&A
5:00 pm – Cocktail Reception

=================================================================================================================================================================================================

You can find out more about this exciting and informative event by clicking here.

November 13, 2014

Atlanta Burns – the Bio-Rad FCPA Enforcement Action – Part III

Atlanta BurningOn this date in 1864, the Union Army phase of the destruction of Atlanta began. While most Southerners credit Union General William T. Sherman with the burning of Atlanta, it was, in reality, Confederate General John Bell Hood who ordered the burning of the armament works that started the destruction. Sherman merely finished it. But whoever started or finished it, the result was horrific for the city. By one estimate, nearly 40 percent of the city was ruined, leaving, as one commentator noted, “little but a smoking shell.” Unfortunately for the Confederacy, this is not the last we will hear about either General Sherman or General Hood.

The Bio-Rad Laboratories Inc. (Bio-Rad) Foreign Corrupt Practices Act (FCPA) enforcement action has provided a wealth of information and lessons to be learned by the compliance practitioner. In Parts I and II I reviewed the facts of the Bio-Rad enforcement action and the specified remedial steps that the company has agreed to take. Today, I want to mine the Deferred Prosecution Agreement (DPA), the company received from the Department of Justice (DOJ) and the Securities and Exchange Commission’s (SEC) Order Instituting Cease-and-Desist Proceedings (Order) and detail the specific internal controls that I think might have helped the company. (I will really try not to get carried away and have a Bio-Rad, Part IV but there is tons of great stuff in this one so there is no telling as I begin to write this post where I might end up.)

For many managers the default mode is to stay within silos and, as noted by Andrew Hill in his article in the Financial Times (FT) entitled “The default mode for managers needs a reset”, that such persons are “suspicious of ideas that are “not invented here.” This may lead them to becoming “detached from the purpose, and even values, of the company.” This can be particularly true of changes required by an anti-corruption compliance program which many business development types fear will change the status quo in a manner, which “puts at risk predictable, comfortable routines.”

Even with the three different bribery schemes used by Bio-Rad in three different countries, some general statements can be made. Obviously the use of a third party representative in Russia was fraudulent. However a robust system of internal controls might not have only detected such conduct but also prevented it if the Emerging Markets Regional Manager and/or any of the team under him knew that they would be checked by a second set of eyes on what they were doing.

I will focus on four areas of internal controls that were sorely missing from the company during its bribery scheme heyday:

  • Delegation of Authority (DOA)
  • Maintenance of the vendor master file
  • Contracts with agents
  • Movement of cash / currency.

Delegation of Authority 

Your DOA should reflect the impact of FCPA risk (transactions and geographic locations) to result in higher levels of approval for matters involving agents and for funds transfers and invoice payments to countries outside the US. If properly prepared and enforced, the DOA can be a powerful preventive tool for FCPA compliance, unfortunately this is not often the case as very often the DOA is prepared without much thought given to FCPA risks.

Properly utilized in a FCPA risk based process, the DOA takes into account the increased risk posed by certain types of transactions and by certain geographic locations. The DOA then provides for a higher level of scrutiny for higher risk transactions. This means that the DOA should specify who must give the final approval for engaging agents. Yet the DOA might distinguish between approval of vendor invoices for “routine” third party representatives and those from high-risk third party representatives, such as agents. Finally, the DOA should be integrated into the accounts payable processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. Identifying high-risk third party representatives can often be done within the vendor master file so payments to them are identified for appropriate approval BEFORE they are paid.

Vendor Master File

The vendor master file can be one of the most powerful PREVENTIVE control tools. This file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. Electronic controls should be in place to block payments to any vendor for which vetting has not been approved. Manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all third party representatives have been approved before their information (and the vendor approval date) are input into the vendor master. Manual controls are also needed when “one time” third party representatives are submitted, when vendor name and/or vendor payment information changes are submitted.

Contracts with Third Party Representatives 

As demonstrated with the Bio-Rad enforcement action, contracts with agents are typically not integrated into an internal control system. They are left to operate on their own. Indeed in the case of Bio-Rad it is not clear if the compliance function had visibility into this process at all. However, to provide effective control, relevant terms of those contracts should be extracted and be made available to those who process and approve vendor invoices. This would also include a review of the commission rate for sales agents and the discount rate for distributors. To accomplish this, once the third party representatives are flagged as high-risk, and before any payments are made, the invoices are pulled for review and approval in accordance with the DOA. Such review would require that nonconforming service descriptions, commission rates, etc., must be approved not only by the original approver but also by the person so delegated in the DOA. This provides the necessary PREVENTIVE control to intercept questionable amounts before they are paid.

Disbursements of funds

All situations in which funds can be sent outside the US (accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.,) should be reviewed from a FCPA risk standpoint. The goal is to identify the ways in which a country manager could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system. Controls need to be in place to prevent such activities. This would require that wire transfers outside the US have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA. Moreover, wire transfer requests going out of the US should always require dual approvals. Finally, wire transfer requests going outside the US should be required to include a description of proper business purpose and over certain level, there should be an additional review (yet another ‘second set of eyes’).

What about Hill and his default mode for managers to stay in their silos and never come out or allow change in their regions, such as was the case with the Bio-Rad Emerging Markets leadership team? This can occur in the compliance arena when the compliance function receives push back and is told the controls are too burdensome and also make operations less efficient. One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of a FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls.

As we end today’s post with Atlanta burning, Andrew Hill tearing down silos so that a company like Bio-Rad can put appropriate FPCA internal controls in place and arm the compliance practitioner with a wealth of information and lessons which can be applied to your own compliance program, all courtesy of Bio-Rad, I find that there is one more significant lesson to be taking away from this enforcement action, however I will save that for another day.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 12, 2014

John Doar and the Bio-Rad FCPA Enforcement Action – Part II

John DoarJohn Doar died yesterday. He was perhaps most famously known for his role as the House Judiciary Committee Chief Counsel during the investigation of and impeachment proceedings against then President Nixon. However, it was his role in the civil rights movement in the South that in large part inspired me to become a lawyer. He rode with the Freedom Riders in Alabama; walked with James Meredith so that he could register to attend the University of Mississippi, then stayed in the same dorm room with Meredith while the campus rioted; prosecuted the KKK in Mississippi after the murder of three civil rights workers in 1964; and marched for voting rights with Dr. King in Selma. My favorite John Doar story was retold in his obituary in the New York Times (NYT), where he stopped a riot in its tracks with the following ““My name is John Doar — D-O-A-R,” he shouted to the crowd. “I’m from the Justice Department, and anybody here knows what I stand for is right.” That qualified as a full-length speech from the laconic Mr. Doar. At his continued urging, the crowd slowly melted away.”” In my book, he is right up there with Atticus Finch.

In an earlier post, I reviewed the Bio-Rad Laboratories, Inc. (Bio-Rad) Foreign Corrupt Practices Act (FCPA) enforcement action from the perspective of the Non-Prosecution Agreement (NPA) the company was able to secure with the Department of Justice (DOJ). Today I want to review the bribery schemes that the company used to either internally fund the bribes or attempt to evade internal detection. Both the NPA and the Securities and Exchange Commission’s (SEC) Order Instituting Cease-and-Desist Proceedings (Order). The compliance practitioner can use these bribery schemes not only for FCPA training but also to see if any such schemes or their indicia may be present in your company.

Initially I need to discuss the corporate structure. It was apparently quite decentralized. According to the Order, “Bio-Rad’s international sales organization (“ISO”) oversees the company’s international sales operations; this includes all locations outside the United States and Canada. In 2009, the ISO consisted of four sub-divisions: (1) Western Europe; (2) Asia Pacific; (3) Japan; and (4) Emerging Markets. Each sub-division had a general manager, reporting to the vice-president of ISO. The Asia Pacific sub-division included Vietnam and Thailand. The Emerging Markets sub-division included Russia and other eastern European countries. Some countries within the sub-divisions had a country manager who reported to the ISO sub-division general manager.” Emerging markets is clearly a high-risk area for pharmaceutical companies. If your business development or sales organization has such a designation, I would suggest that you check and see if there are sufficient protections in place to at least raise any red flags, which might need further investigation.

However, it was more than the management structure of the business operations that was decentralized, the compliance function was similarly structured. The NPA stated, “BIO-RAD also decentralized its compliance program such that its international offices were responsible for ensuring adequate compliance with its business ethics policy and code of conduct.” This decentralization so defanged the company’s compliance program that it could not perform even the most basic functions of a compliance organization; no due diligence on third parties, indeed no management of third parties at all from the compliance perspective; no risk assessments were performed and, finally, the most damning was that the compliance function could not even ensure compliance with the company’s own business ethics policy.

The Russia Scheme

However the company used third party representatives to facilitate the bribery scheme. In addition to the lack of due diligence or usual steps that a compliance practitioner might put in place to manage third parties under the FCPA there were several other items of note which constitute lessons learned by the compliance practitioner. First and foremost was the commission rate paid to these third parties, that being between 15%-30%. This alone may well have been enough to demonstrate “a conscious disregard for the high probability that the Russian Agents were passing along at least a portion of their commissions to Russian government officials to obtain profitable public contracts for the sale of medical diagnostic equipment.” Further, the payments made to these agents were sent to countries outside Russia, where neither the alleged services were delivered nor where the agents were legally domiciled. Moreover, not only did these agents have no offices in Russia, they had no employees in Russia either.

Apparently there were contracts in place with these agents. The services these agents were specified to deliver included, “acquiring new business, creating and disseminating promotional materials to prospective customers, distributing and installing products and related equipment, and training customers.” But it really is hard to deliver services if you have no employees. Apparently there were times these agents did deliver something identified as “distribution services” for the commission rates between 15%-30%. However the estimated value of these services for the company was between 2%-2.5% of the total sales.

Another area of obvious concern should have been the pre-payment of commissions to these agents. Any time you pre-pay before a service is delivered (other than a retainer into a lawyer’s trust account) you can potentially run into trouble. But Bio-Rad took it a step further by making pre-payments before contracts with the ultimate buyer were negotiated. Any ideas where those pre-paid commissions might have gone? Another area was the amount of the commissions. They were just less than $200,000, which happened to be the authority level of the head of Bio-Rad’s Emerging Markets business unit. So there was no oversight or second set of eyes on these pre-payments because it was within the manager’s authority level. Finally, these pre-payments were actually forbidden under the contracts but they were made anyway.

The Vietnam Scheme 

The Vietnam Country Manager had contracting authority up to $100,000 and sales commissions up to $20,000. From 2005-2009 Bio-Rad apparently paid bribes directly to health care workers so they would purchase the company’s products. When it was pointed out to the Country Manager this was illegal, he simply moved to a distributor “at a deep discount, which the distributor would then resell to government customers at full price, and pass through a portion of it as bribes…Between 2005 and the end of 2009, the Vietnam office made improper payments of $2.2 million to agents or distributors, which was funneled to Vietnamese government officials. These bribes, recorded as “commissions,” “advertising fees,” and “training fees,” generated gross sales revenues of $23.7 million to Bio-Rad Singapore.” 

The Thailand Scheme

In Thailand, it was an almost mundane bribery scheme involved compared to Russia and Vietnam. Bio-Rad acquired an interest in a Thai Joint Venture (JV) through an acquisition where it performed “very little due diligence” on the JV. Bio-Rad acquired a minority interest in the JV and it did not communicate directly with the JV’s distributors but only through the majority owners of the JV. The bribery scheme was funded through “an inflated 13% commission, of which it retained 4%, and paid 9% to Thai government officials in exchange for profitable business contracts.” The due diligence was so poor that Bio-Rad did not know that the prime third party sales representative for the JV were the same majority owners of the JV.

Tomorrow, I will discuss some of the internal controls that a company might employ to help prevent such a compliance failure as occurred at Bio-Rad.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 20, 2014

Internal Controls Outside the US – Part IV

NavigatingThis post will conclude a short series I have presented on the issue of internal controls outside the US. I want to conclude by raising some ways in which a compliance professional can work to implement internal controls in a multi-national organization. As with my entire series on internal controls, I rely on internal controls expert Henry Mixon for guidance on this topic. 

Mixon advises that the first step is to convert your company’s Foreign Corrupt Practices Act (FCPA) risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls, which meet the objectives. This process should allow more of a fine tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt and will give the business unit a sense of buy-in and participation in the process.

Mixon provided an example of how the process might work in the situation where the FCPA risk is that a third party representative may be paid for an invoiced amount before that third party representative has gone through your company’s full third party approval process. Mixon began by noting that your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file in which inserts the date the vendor is approved and by programming such a requirement the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’ requiring sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance at another location QuickBooks is used? Mixon suggests that the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes are printed and submitted to both check signers, along with the applicable approved vendor change request.

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and will be told the controls are too burdensome and also make operations less efficient? I inquired from Mixon how he might suggest this situation be dealt with going forward. Fortunately for us, this is something that Mixon has observed many times and is very familiar with the issue as many employees see internal controls only as an added burden. Moreover, many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of an FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Mixon also advises that the premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, Mixon believes that it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and that the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies the internal controls are effective? How should such a situation be dealt with or conversely how might a compliance professional respond? 

Mixon believes that there are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Mixon cited to the example of internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

I hope that you have benefited from these posts on internal controls outside the US. I clearly believe that the price for noncompliance can easily be substantially greater than the cost to assess and implement good internal controls. But good FCPA internal controls are not some standalone protective measure. They can help to make a company run more efficiently as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the keys ways such companies do seem to have better than average profitability is that they have better internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 17, 2014

The Mummy and Internal Controls in Locations Outside the US – Part III

The Mummy-Hammer FilmsToday we celebrate Hammer Film’s version of The Mummy. This was the first film that the Hammer studios made under a license agreement with Universal Pictures, the holder of the copyright of its classic monsters from the 1930s and 1940s. This version starred the duo of Peter Cushing and Christopher Lee. Changing the storyline from the original Universal Picture version, the Hammer version brought the Mummy back to England from Egypt where his apparent sole purpose was to wreak havoc and kill those who violated the tomb of his beloved Princess Anck-es-en-Amon. This is somewhat confusing as the movie makes clear that Cushing did not desecrate the tomb because he was laid up with a broken leg at the time, which caused him to limp the remainder of the movie. It was Cushing’s father and uncle, who did come to grief at Lee’s hand back in jolly old England, who initially entered the tomb. But one thing about Hammer Films, internal consistency was never allowed to get in the way of a good story.

Perhaps as Hammer Films got carried away, I did as well (yet again). I know I said I was going to put together a three-part series on internal controls for locations outside the US but it has turned into a four-part series. In parts I & II I reviewed some of the risk considerations that a compliance professional should contemplate regarding business units outside the US. I also discussed how to perform a Location Risk Assessment. In Part II, I will review how to use this assessment as a tool to provide a structured approach to establishing effective internal controls. I will conclude with Part IV where I will discuss how to implement worldwide controls in a company where each foreign location has a distinct set of operations issues and uses different ERP / accounting software systems. Once again, I rely on internal controls expert Henry Mixon for guidance in this area.

After preparation of Location Risk Assessments, the next step is to prioritize the listing of the risks and which locations they are common to. Mixon advises the need to map existing internal controls to risks and then assess whether the internal controls are sufficient to mitigate the risks. To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the Location Risk Assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets while a company which sells exclusively through local distributors, might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.

 One of the biggest risks under the Foreign Corrupt Practices Act (FCPA) is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high FCPA compliance risk. The recent Securities and Exchange Commission (SEC) FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents. The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents we previously discussed. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good are the segregation of duties (SODs)? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or corporate be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?

What about a situation in opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration. This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessening on the reliance of third parties so that a company, at least in theory, would have more control over its own work force than those employed outside your company. The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared.

 These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or FCPA compliance policy and training of said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that defines exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs. Think of a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture; such that, even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have huge impact on your internal controls environment.

Next week I will conclude this series on internal controls for your business locations outside the US with some thoughts on how a compliance practitioner might go about implementing these controls and responding to the inevitable pushback you will receive.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 14, 2014

Steve Bartman and Internal Controls Outside the US, Part II

BartmanToday, we note that 11 years ago, Steve Bartman entered the Chicago Cubs Hall of Infamy. For every baseball fan, if there was ever a but for the grace of God, go thee moment the sad saga of Bartman is it. The Chicago Cubs, who at that point had not played in World Series appearance in 58 years were five outs away from going to the 2003 Fall Classic. Bartman interfered with a ball he thought was in foul territory on the left field line but was in fact playable and about to be caught by Left Fielder Moisés Alou. His interference allowed the at-bat to continue and the batter got a hit. The Cubs fell apart and lost the game. Bartman was escorted from Wrigley Field by security guards as bloodthirsty fans hurled beer cans and other debris at his head. The next day, he went into hiding—but not before he told the press that “I’ve been a Cub fan all my life and fully understand the relationship between my actions and the outcome of the game – I am so truly sorry from the bottom of this Cubs fan’s broken heart.” Bartman lives in hiding to this day. Why is it a but for the grace of God moment? Because probably every baseball fan in the universe would have done what Bartman did and interfere by catching the ball, or at least trying to catch it.

Bartman’s story provides the starting point for today’s post. Last week, in Part I of this three-part series on internal controls for US company-business units which are located outside the US, I discussed some of the reasons why there might be such differences and provided a framework for thinking through how to assess the risk they might pose a company subject to the Foreign Corrupt Practices Act (FCPA). The framework I introduced in Part I was a Location Risk Assessment; today, I will discuss how to perform this assessment. Once again, I will rely on internal controls expert Henry Mixon for guidance in this area.

It is incumbent that you need to review as much information as you can to understand the financial and operational structure of an entity and how the financial and operation structure outside the US is integrated with the corporate headquarters, or the US business unit’s financial and operation structure, if the foreign operation is part of a US business unit. Mixon suggested that you could begin with the Transparency International (TI) Corruption Perceptions Index (CPI) to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your operations at a location outside the US. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third party representatives are coming into a commercial relationship with your company through your supply chain.

Other areas of inquiry, which could be considered, include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the US and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which local disbursements are made in local currency and, of course, is there a local petty cash fund?

As with many other areas around internal controls, it is important to consider the local Delegation of Authority (DOA) and whether it is consistent with your corporate DOA. Mixon suggested that some of the considerations regarding the local DOA should extend to which corporate or US business unit approvals are required for transactions initiated locally, such as: (1) Approval of vendor invoices, (2) Disbursements of funds, including wire transfers; (3). Execution of facilities leases; (4) Execution of contracts with agents; and (5) Approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate segregation of duties at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment of customers? Are products drop shipped from US directly to the customers of the local operation? Are products drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and if so, what were the results of the investigation? In the area of customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.

If there has not been a sufficient assessment of controls, the compliance professional must then decide how to best determine whether the local controls are sufficient to satisfy the requirement of the FCPA and accurately reflect all transactions and prevent concealment of improper transactions. Mixon believes that some of these considerations would be an inadequate segregation of duties because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there is internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms, and update applications. This means that an employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a bribe to have been paid in order to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. In the recent Securities and Exchange Commission (SEC) enforcement action against Smith & Wesson, that was the situation. The lack of effective internal controls, not the payment of a bribe, was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.

Mixon said that such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor who approves expense reports but routinely does not look at the supporting documentation; a Country Manager provides a true control as an approver; or where the Country Manager or the local Finance Manager has ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for the international business unit in question. On the sales side of the equation, Mixon suggested you review the three-year historical sales for the location and what are the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as what is the sales incentive compensation plan for local sales personnel and for the Country Manager; as this inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe in order to win a contract which results in a large sales incentive compensation to the employee.

All of these reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the Fraud Triangle, which lays out breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization – a fraud perpetrator always rationalizes that he / she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity – the perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment.

Steve Bartman has never spoken publicly about the event to this day. There has been no catharsis for him like the Red Sox fans gave Bill Buckner. But in the FCPA universe for your operations outside the US, you do not have to be a Bartman. In Parts I & II of this series, I have reviewed what some of the risks might be in your international locations that you do not have in your US domestic operations. In Part III, I will discuss how to use the Location Risk Assessment as a tool to provide a structured approach to establishing effective internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

Christopher Lee as DraculaThis Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie two-some of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious technical color production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood is particularly focused. Nevertheless, the productions are first rate and with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi, is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf; not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel that in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where should a CCO begin in any of the above scenarios? Mixon believes that the initial first step is to determine the extent of centralization or decentralization of relevant processes or put another way, to what extent are relevant processes performed at the corporate offices? In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Local Risk Assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 30, 2014

Discipline and Rigor in Your Internal Controls

DisciplineIn a recent New York Times (NYT) Op-Ed by David Brooks, entitled “The Good Order”, he discussed how routine can lead to creativity. He cited to the example of three well-known authors whose habits included the following. “Maya Angelou would get up every morning at 5:30 and have coffee at 6. At 6:30, she would go off to a hotel room she kept — a small modest room with nothing but a bed, desk, Bible, dictionary, deck of cards and bottle of sherry. She would arrive at the room at 7 a.m. and write until 12:30 p.m. or 2 o’clock.” Another example was John Cheever, who “would get up, put on his only suit, ride the elevator in his apartment building down to a storage room in the basement. Then he’d take off his suit and sit in his boxers and write until noon. Then he’d put the suit back on and ride upstairs to lunch.” Finally, there was the example of Anthony Trollope, who “would arrive at his writing table at 5:30 each morning. His servant would bring him the same cup of coffee at the same time. He would write 250 words every 15 minutes for two and a half hours every day. If he finished a novel without writing his daily 2,500 words, he would immediately start a new novel to complete his word allotment.” Brooks thesis for his piece seemed to be summed up by a quote from Henry Miller (of all people), “I know that to sustain these true moments of insight, one has to be highly disciplined, lead a disciplined life.” Sort of gives a whole new meaning to the word ‘discipline’.

However moving back to somewhat salacious concepts, I thought about those words in the context of internal controls around a Foreign Corrupt Practices Act (FCPA) compliance program. Brooks’ thoughts on building and maintaining order inform today’s post. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a particular company. Once again relying on my friend and internal controls expert Henry Mixon I queried him about some of the other types of internal controls a company should consider around gifts, travel, business courtesies and entertainment.

One area that companies need to be mindful of is corporate checks and wire transfers, in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. Here Mixon believes that the Delegation of Authority (DOA) is a critical internal control. So, for example a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

I asked Mixon about the situation where checks drawn on local bank accounts in locations outside the US “off books” bank accounts, commonly known as slush funds. Petty cash disbursements in locations outside the US – the unique control issues regarding locations outside the US will be discussed in a future podcast. Some petty cash funds outside the US have small balances but substantial throughput of transactions. In this instance, Mixon said that the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside US.

Another area for concern is travel, the reason for this being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Mixon noted that internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with GlaxoSmithKline PLC (GSK) in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. Mixon advises that you should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been Procurement cards or “P Cards”. Mixon cautions that if your company uses procurement cards, assume this to be a very high-risk area, not just for FCPA but also for fraud risk generally. Banks have made a great selling job to corporations for the use of P-Cards to help to facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, documentation and review requirements.

An interesting analogy that Mixon used is that misbehavior, like water, seeks its own level. Mixon explained that this meant if the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead a check request form be used, which, Mixon noted, would be subject to stringent controls. He added that in such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had business purpose. Such an internal control would allow for a more streamlined processing of expense reports and still elevates the gifts/travel items to the appropriate level of review and requires appropriate documentation.

I inquired as to why a Compliance Officer relies on the audit controls that are in place regarding gifts because in many companies, internal audits of expense reports are common. Mixon noted that it is important to keep in mind that, with respect to gifts, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violation of Gift policies.

I thought about one line in Brooks’ piece, which seemed to echo Mixon’s thoughts on internal controls, where Brooks wrote, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Mixon has identified, you can go a long way towards detecting and more importantly preventing a FCPA violation from occurring.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 29, 2014

TNG Premiers and Internal Controls for Gifts in a Best Practices Compliance Program

Star Trek TNGThis week, 27 years ago, Star Trek – The Next Generation (TNG) made its television debut. Rarely has there a follow up to a beloved original series (Star Trek – The Original Series (TOS)) that is equally treasured by fans. They say that your favorite Star Trek is the one you grew up with, so for me that is TOS and that will always be my most beloved Star Trek series, but for the younger generations TNG fills that bill. The series occurred some 70 years in the time after TOS so things were a bit different. One of the differences was on following the Prime Directive more rigorously. While Captain Kirk, who actually had a hand in drafting the Prime Directive, seemed to view it with situational ethics, Captain Picard was much more concerned about not violating it.

I thought about this evolution of the Prime Directive from TOS to TNG when considering what types of internal controls a compliance practitioner might consider in the area of gifts in a Foreign Corrupt Practices Act (FCPA) best practices compliance program. I have been continuing my exploration of internal controls with well-known expert Henry Mixon, Principal of Mixon-Consulting. Mixon believes that it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the criteria as defined and interpreted in Company policies. Generally speaking, these are fairly narrow, including a definition of the dollar limit, which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?

The Department of Justice (DOJ), in several enforcement actions and the FCPA Guidance has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. Mixon cautions that in considering the effectiveness of controls, you must always keep in mind the most frequently used method for defeating an internal control, which is driven by a dollar amount criteria, is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

Mixon believes that the key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. To help to answer this query, he posited that there are four issues to evaluate.

  • Is the correct level of person approving the payment / reimbursement for the gift?
  • Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  • Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  • If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Mixon believes that once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

Mixon believes the format itself of an expense report can go a long way toward prevention of violations of company policy. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

Mixon suggested two forms of representation, the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies regarding FCPA compliance. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts. Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Mixon noted that some companies have two basic forms of expense reports. One is for situations in which all items pertain to US locations and do not involve any expenses incurred outside the US or for benefit of persons outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. Just as an added measure, the expense report includes a column where other expenses are reported which requires the submitter to check “Government Official YN?” this type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Mixon believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Mixon ended by noting it was incumbent to ensure reviewers sign off that each such item has documentation that required pre-approvals were obtained, if necessary.

While following the Prime Directive does not always lead to the result that the crew of TNG Enterprise desired; it did have the greater effect of allowing cultures and peoples to develop without interference. Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques that Mixon has suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. Just as Star Trek’s Prime Directive had an ultimate purpose, if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 24, 2014

Lessons from GSK in China – Internal Controls, Auditing and Monitoring

InvestigationsOne of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation where in studying and researching the GlaxoSmithKline PLC (GSK); I find that the case has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.

One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations? The numbers went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Internal Controls

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the ringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Auditing Lessons Learned

Following Mixon’s point 4 above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept ‘off the books’? This is where internal audit or outside auditors are critical. Hirschler quoted an un-named source for the following, ““You’d look at invoices and expenses, and it would all look legitimate,” said a senior executive at one top accountancy firm. The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.”” Jeremy Gordon, director of China Business Services was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine, however, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely on marketing expenses and more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.

Ongoing Monitoring

A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article, entitled “Glaxo Probes Tactics Used to Market Botox in China”, that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, thus creating a red flag that can be tagged for further investigation.

GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s miss-steps going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

Blog at WordPress.com.